Microprocessors in railway signalling: the Solid-State Interlocking

A H Cribbens

Safety and operational efficiency are two often conflicting requirements of a railway signalling system. A H Cribbens shows how fault-tolerant techniques have been applied to solve this problem.

The paper reviews some of the techniques available to the designer of safety-critical systems and describes their application to the complex engineering requirements of main-line railway signalling, in the form of British Rail's Solid-State Interlocking (SSI). The design of central interlocking and track-side interface equipment is described in terms of the redundancy techniques used and the organization of their hardware and software.

Keywords: microsystems, control, fault tolerance, railway signalling

Research Division, The Railway Technical Centre, British Railways Board, London Road, Derby DE2 8UP, UK

This paper was originally written as a contribution to the journal's 10th anniversary issue, Vol 11 No 1 (January/February 1987), but for reasons beyond our control could not be included in the issue. We are pleased to be able to present the paper now.

0141-9331/87/05264-09 $03.00 © 1987 Butterworth & Co. (Publishers) Ltd
264 Microprocessors and Microsystems

British Rail Research has been concerned with the development of high-integrity microelectronic systems and their application to the general field of railway signalling and control since the microprocessor first appeared. Ten years ago a paper was published in the first issue of Microprocessors describing some early applications of microprocessors in railway control and some of the methods being used to satisfy the need for safety and reliability [1]. Those methods have stood the test of time, and have since found application in a number of developments connected with railway signalling. The most significant is an electronic railway signalling system for main-line application, known as Solid-State Interlocking (SSI).

From a safety point of view the most important function of a railway signalling system is to maintain a safe distance between trains. From an operational point of view, however, the most important requirement is to provide the line capacity and flexibility of movement necessary to cope with the traffic. These two sets of requirements tend to be in conflict, and the need to satisfy both gives rise to a great deal of the complexity of a modern signalling system.

For the last 30 years or so the technology of railway signalling has relied on electromechanical devices of specialized design (signalling relays) to perform safely the complex logic involved in controlling train movements -- a function generally known as 'interlocking'. A large modern signalling installation may contain as many as 30 000 signalling relays and proportionally large amounts of wiring and cabling. It is an expensive technology, making the benefits of introducing electronic logic potentially large. Therefore, for a number of years, many railway administrations have been studying the problems of making this radical technological change in a discipline whose previous history has been one of gradual, evolutionary development.

The methods outlined in the earlier paper [1] have formed the basis for the development by British Rail (BR) of an electronic signalling system which integrates the functions of interlocking, communication and control of track equipment. SSI is now established as standard for signalling installations on main lines and other densely trafficked routes.

The remainder of this paper is devoted to a brief discussion of techniques and a description of the SSI, with particular emphasis on some of the more novel aspects of the design.

TECHNIQUES

The problem of applying microelectronic technology and solid-state power switching devices to vital signalling equipment is open to a number of very different solutions, all of which inevitably involve applying the principles of redundancy. The techniques available range from conceptually simple schemes involving hardware replication to conceptually complex designs with sufficient internal redundancy to permit safety functions to be handled by a single processor. The various techniques
may be further subdivided into those which seek to eliminate risk of unsafe failure due to design errors by employing diverse design, and those for which design correctness must be demonstrated explicitly. The former involves devoting resources to the production of multiple diverse implementations, while the latter involves applying design and validation procedures capable of providing sufficient confidence in the integrity of the product.

It cannot yet be said that any particular approach to the design of such systems is better than any other, and it is partly for this reason that widely different design philosophies and techniques have been applied by those railway administrations and signalling equipment suppliers who have been active in this field. The following examples are included to illustrate the diversity and do not constitute an exhaustive review.

Lohmann and Zillmer [2] describe a dual redundancy technique in which two identical processors are compared at the processor bus level in a redundant mechanism which energizes a pair of safety 'cut-off' relays. Each output function is controlled through contacts of these relays and through the contacts of two further safety relays associated only with the function and independently operated by the two redundant processors. This approach clearly requires very tight processor synchronization and identical software execution; thus input state changes must not be permitted to cause transient differences within the processors.

The use of two independent software systems within a single computer, as described by von Linde [3], has been applied to computer interlockings in Sweden and Denmark. In this approach safety relies on software and data-handling diversity throughout the system, comparison of partial results and self testing of the computer hardware being used to improve error detection. The principle is maintained right through to a final fail-safe comparison of the diversely produced output commands in trackside interface equipment.

An approach having similarities to the above, but also with radical differences, has been described by Rutherford [4]. All state information is represented by redundant code words. Boolean expressions representing the interlocking logic are evaluated in two diverse software channels, producing further redundant code words as output. The integrity of the processor is further checked by test routines which also produce output in the form of redundant code words. The output state code words are translated into final system output states through a process which returns further check words representing the actual output states. The ultimate safety of the system is protected by safety relays energized by a separate processor programmed to validate the flow of check words from the interlocking processor.

BR's present approach is much as described in the earlier paper [1], involving the use of identical subsystems in dual or triple redundant configurations, loosely synchronized and running the same software. Comparison and voting are software functions, performed on both internal states and system outputs, as is the prevention of divergent behaviour due to transient differences in perceived input states. Redundancy management is exercised through redundant and testable hardware mechanisms operated under software control. The emphasis is on conceptual simplicity and the separation of safety management functions from signalling logic functions. It will be apparent that this general approach belongs to the category requiring explicit demonstration of design correctness, and establishing appropriate design evaluation and software validation procedures has been an integral part of the development programme.

Safety and availability

Safety and availability are simply two different aspects of the reliability of a redundant system. A triple redundant system is available so long as two of the three modules remain operational and in full agreement. The probability that this will not be so depends upon the module failure rate and the time taken to replace a failed module; for example, a module mean time between failure (MTBF) of 10 000 h and a mean repair time of 10 h results in a mean time to system failure of about 200 years.

On the other hand, a redundant system is safe provided a potentially unsafe failure is detected before a further failure occurs which renders the first failure, and itself, undetectable. The probability of this event depends upon the module failure rate and the mean time to detection of a fault. For the systems described in this paper, the theoretical mean time between unsafe failures is in the order of 10^6 years.

Software validation

The principles and techniques currently applied by BR to the validation of safety-related software have been described by Short [5]. The general approach seeks to prove consistency between the various levels of design through the following procedures:

• functional analysis, proving equivalence and completeness of the design with respect to the requirements specification
• structural analysis, proving modularity and path accessibility and providing a framework for later semantic analysis
• modular analysis, testing program modules against predicted behaviour
• information flow analysis, relating processes to variables and detecting illegal or absent variable references
• high-level semantic analysis, demonstrating that the separately validated processes combine to satisfy the overall requirements of the system
• timing analysis, applied to processes with safety-critical timing constraints

SOLID-STATE INTERLOCKING

The design of the SSI aims to satisfy a number of broad objectives, including high system availability, equipment modularity, simplicity in application and cost effectiveness in both small and large applications. The principal features of an SSI system are illustrated in Figure 1.

Control centre equipment

The control centre equipment consists of the control console, one or more electronic interlockings and a maintenance terminal. The control console displays the state of the railway and is the means of entering control



commands into the system. It may take the form of a conventional mimic diagram with push-button controls, or it may be a VDU display system with keyboard or tracker ball input.

Each interlocking is a fault-tolerant, high-integrity information processing system consisting of a number of microcomputer modules of specialized design arranged in the configuration shown in Figure 2. A pair of panel processor modules, operating in a duplex standby mode, relieves the safety interlocking of the nonsafety task of servicing the control panel. Three interlocking modules operate as a repairable triple redundant system, providing single fault tolerance, failure to a safe condition in the event of multiple faults and very high availability. A diagnostic module monitors the operation of the interlocking system and provides installation-specific diagnostic information to the maintenance terminal. Access to the data highways is provided by the data link modules, which are biphase data transmitters and receivers of specialized design.

The interlocking modules contain four microcomputers which, in common with all the safety-critical elements of SSI, are built around the 6802 processor. The largest of the four is responsible for the module's redundancy management functions and executes all the interlocking logic. It has 60 kbyte of EPROM space to accommodate a program of completely general application and a set of 'geographic' data, which is a database unique to a specific application. The general-purpose program embodies many of the standard principles of signalling and contains the rules for operating on the geographic data to produce the precise signalling controls required. The program may therefore be likened to an interpreter, and the data to a specialized high-level language. Two small processors are dedicated to servicing the two trackside data highways, while a fourth is dedicated to exchanging information over the data highway which links together the several interlockings of a large signalling installation.

Panel processor modules contain a single processor which, as with the interlocking, is equipped with a general-purpose program embodying the rules for updating the control panel display and interpreting control commands, and a database unique to the installation describing the particular interpretation required.

The diagnostic module is physically identical to the interlocking module, but is equipped with software and a database which enable it to monitor the performance of the complete signalling system and make an accurate diagnosis of any fault conditions. Diagnostic and status information is passed to the maintenance terminal, which produces output in a form meaningful to the technician. The maintenance terminal also incorporates a cartridge tape recorder which logs all system state changes.

Figure 1. Overall structure of the SSI system [diagram not reproduced in the extracted text; blocks shown: control panel, train describer, panel multiplex, panel processor, maintenance aid, interlocking, diagnostic, further SSIs, data highway, trackside data highway, internal data highway, signalling equipment]

Data highway

One of the distinguishing features of SSI is the linking of the control centre equipment to electronic trackside interface equipment by means of a data highway. As the data highway carries safety information and is the sole link between the interlocking and the area of railway it controls, its security and availability are vitally important. The distribution of data to trackside interface equipment is achieved using baseband transmission at 20 kbyte s⁻¹ in screened twisted-pair cable. Transmission integrity is protected by two levels of information coding, used exclusively for error detection, and by the use of relatively large signal levels in the dedicated cables. Transmission distortion limits the useful range of this technique to about 10 km without repeaters. Using bidirectional baseband repeaters a range of about 40 km is achievable. Where longer distances are involved, or where other circumstances make the economics favourable, the baseband highway may be linked to the control centre over a standard 64 kbyte s⁻¹ telecommunications data channel. Further encoding and protocol changes are necessary to maintain the integrity of the SSI data stream in this case.

Lineside equipment

The ultimate conversion from low-level serial data to and from parallel inputs and outputs at signalling equipment power levels is handled by trackside interface modules, which are complex high-integrity systems in their own right. Their function is to maintain safe local control of signal lamps, point machines and other items of signalling equipment, and to communicate to the interlocking the state of system inputs derived from such equipment. The two types of module developed so far enable the great majority of interfacing requirements to be accommodated without resort to the use of relays. They are a points



module, which is designed to connect directly with hydraulic point machines, and a signal module which, although being designed primarily to provide an efficient interface to multiaspect colour light signal heads, has the flexibility to satisfy the requirement for a general-purpose interface. In both modules, power switching is fully solid state.

Figure 2. Internal structure of an SSI system [diagram not reproduced in the extracted text; blocks shown: control panel (outputs, inputs), multiplexer, scanners, two panel processors, three interlocking processors each with TCP, TCP and ICP, four data link modules, trackside data highway, internal data highway]

CENTRAL INTERLOCKING SYSTEM

Hardware

The internal structure of an interlocking module is illustrated in Figure 3. The hardware features of the main



interlocking processor are determined predominantly by the requirements of the redundancy management function and the need to exchange information with the panel and communications processors. Redundancy management requires parallel I/O for the control, testing and monitoring of the module isolation hardware within its own module and within the two other modules of the redundant system. Serial I/O is also required for the information exchange with the other modules necessary to prevent divergence.

Communication with the two panel processors is also in serial form, whereas the transfer of data to and from the three communication processors takes place over two 4-bit and one 8-bit parallel connections. The various I/O functions are provided by three versatile interface adaptors and one ACIA.

Figure 3. Internal structure of an interlocking module [diagram not reproduced in the extracted text; blocks shown: interlocking processor (CPU, VIA, program memory EPROM, data memory EPROM), TCP, ICP, data link modules DLM1 to DLM4, optical interface, panel processor modules PPM1 and PPM2, connections to modules B and C]

The memory space of the interlocking processor is decoded to allow the top 60 kbyte to be used for EPROM storage of program and data, with the top 20 kbyte allocated to program. The lower 4 kbyte is allocated to the memory-mapped I/O and working memory, which is a 2k x 8 bit CMOS static RAM. This 'state-of-the-railway' memory is capacitor supported to enable the system to survive power supply interruptions without losing certain controls on system behaviour which can only be input by a qualified technician.

The two trackside communications processors (TCPs) are identical minimal chip-set designs making use of the 6802's onboard RAM for working memory. The internal communications processor (ICP), which handles information exchange with other interlockings, is broadly similar in design.

All external connections to the modules are optically isolated. The only safety-related outputs are the serial data outputs from the communication processors, which are energized through the redundancy management hardware. The comparison and voting on these outputs is a software function and is described below. The serial



data exchange with the panel processors does not carry vital safety information, but it is nevertheless important to the availability of the system that errors or malfunctions at this interface do not prevent proper operation. To maximize availability in this area the three interlocking modules communicate individually with the panel processors, which each perform a two-out-of-three vote on the received data. The two panel processors send data to the interlocking modules alternately under individual interlocking processor control.

The redundancy management mechanism is, in effect, a redundant and testable means of removing power from the serial interfaces which carry safety information. The mechanism is operable, and also testable, by the parent processor acting alone or by the other two processors acting together. Any voting disagreement or failure of a redundancy management test results in the faulty module being removed from the system. When one of the three modules is removed in this way the surviving two automatically reconfigure as a two-out-of-two redundant system, and the failed module can be replaced and brought back into operation without apparent disruption to the interlocking function. In fact, the transfer of information necessary to educate the new module with the current state of the system takes about 150 ms, during which time the interlocking function is suspended.

Software

The interlocking function essentially involves maintaining an up-to-date record of the state of the railway and applying a defined set of rules to all state changes. The state of the railway is described in terms of real entities, such as track occupancy, signal aspects and point settings, and abstract functions associated with the principles of railway signalling, such as overlaps, approach locking and train-in-section proving. In the SSI this representation of the railway is held in read/write memory in the form of arrays of variables representing the states and attributes of signals, points, routes and track circuits. Other variables are reserved for latches and timers and for maintaining an up-to-date record of the system's input and output states.

The interlocking performs a full cycle of operation, referred to as a major cycle, approximately every 650 ms. A major cycle is made up of 64 minor cycles, each of which involves the interlocking processor in the following operations:

• an exchange of information with the two processors handling the trackside data highway communications; the data to be transmitted in the current cycle is exchanged for the data received during the previous cycle
• an exchange of information with the panel processors; a block of 'state-of-the-railway' information is passed to the panel processors and a panel request code is passed to the interlocking
• an exchange of information with the communication processor handling safety-level communication with the other interlockings of the installation
• updating the 'state-of-the-railway' record from information received
• performing the interlocking logic for the signalling functions associated with the data to be passed to the trackside communication processors at the start of the next minor cycle
• updating timers, routine housekeeping and redundancy management functions

The duration of a minor cycle is allowed to vary according to the complexity of the interlocking function associated with the outgoing message, subject to a minimum of 9.5 ms required by the data highway message protocol and a minimum of 30 ms set by other timing constraints.

The interlocking software comprises about 4 kbyte for redundancy management, initialization and interfacing functions, and about 12 kbyte for the interlocking function itself. The size of the geographic database varies with the complexity of the installation, but is typically 12-20 kbyte.

The primary function of the two trackside communication processors (TCPs) is to handle the flow of information between the interlocking processor and the trackside data highway. Two TCPs are provided because significant differences in transmission path length are permitted which prevent one processor handling both message streams. Information passed from the interlocking processor is subjected to both Hamming and Manchester coding before transmission, and messages received from the highways are likewise checked for coding validity before the received data is passed on to the interlocking processor. The integrity of outgoing data is protected by a redundant check of each bit as it is sent. If an error is detected the data highway is forced into a Manchester invalid state (e.g. all ones), causing the entire message to be rejected as invalid. Fault analysis software enables the triple redundant system to identify which module is responsible for incorrect data and take the appropriate action.

The processor handling communication with other interlockings over the internal data highway (the ICP) has a particularly difficult job to do, as it is impossible to synchronize one interlocking with another. The flow of information on the internal data highway is therefore asynchronous with respect to the interlocking process and has to be organized solely by cooperation between the several ICPs, each of which also has to maintain synchronization with its parent interlocking. In addition, the ICP initialization has to be able to cope with all the possible start-up modes of the triple redundant system and with all possible initial states of the data highway. Fault analysis and safety management is handled in a similar way to the TCP.

Geographic database

A special design language has been developed for use by the signal engineer in describing the requirements of particular installations. Its structure and syntax are unavoidably complex, but the principle is well illustrated by a simple example. The following data construct is a database entry which might be written to tell the interlocking the conditions which must be applied to a request to set a particular route.

    *QR11B if R11(2M) a, P103 qnf, P105 qnf,
           U56AB f, U60AB f
      then R11(2M) s, U44BA l, U48CB l, U52CA l,
           U54BA l, U56BA l, U58BA l, O60BA l,
           P103 qn, P105 qn \.

*QR11B is a label used by the data compiler. The construct consists of the logical statement 'if', followed by a set of conditions which must be true for the route to be



available, and the logical statement 'then', followed by a list of actions to be taken if the request can be executed. It reads:

'IF Route 11(2M) is available (i.e. not already set) AND Points 103 and 105 are in, or free to move to, the normal position AND Subroutes 56AB and 60AB are free, THEN set Route 11(2M), lock Subroutes 44BA, 48CB etc., lock Overlap 60BA, and normalize Points 103 and 105'

This statement compiles into about 30 byte of machine readable data.

TRACKSIDE INTERFACES

A trackside interface module is a self-contained safe controller which is designed to be connected directly to signalling apparatus such as signal heads, point machines and track circuit equipment. It responds to commands from the interlocking, with which it communicates over the trackside data highway, and sends back to the interlocking information about the state of the railway. Of the two types of module so far developed, the points module is specifically designed for direct connection to hydraulic point machines, while the signal module is a flexible general-purpose interfacing unit which has been optimized for use in connection with multiaspect colour light signals.

The two types of trackside interface modules are required to carry out the following functions:

• to manage the system redundancy to ensure safe behaviour under fault conditions
• to receive and decode data highway messages addressed to the module, and to assemble, encode and transmit replies; to diagnose and report data highway unreliability and impose safe conditions when communication is lost
• to detect the states of external switch or relay contacts
• to control and monitor the state of power level outputs and the power interface fault protection mechanism

In addition, the signal module is required to monitor signal lamp current and to ensure the illumination of the red signal lamp under fault conditions. The points module is required to detect the position of the points being controlled and to control the switching of a high-current nonsafety interface to hydraulic pump motors.

Safe control of the modules is maintained using the dual-processor technique described previously [1]. Although the technique is capable in principle of satisfying the stringent safety requirements of trackside interface modules, translating these principles into a robust mechanism for switching AC at relatively high power levels presents considerable difficulties. The solutions adopted for the two types of module reflect subtle but fundamental differences in safety requirements and the wish to maintain a degraded performance in the presence of faults where this can be achieved without compromising safety.

Figure 4. Internal structure of a trackside interface module [diagram not reproduced in the extracted text; blocks shown: power supply, data input isolation from DLMs, microprocessors A and B, processor redundancy management, power output circuits to signal heads, point machines etc., code output to external contacts, input isolation from external contacts]

The internal structure of both types of trackside interface module is illustrated in Figure 4. The design aims



to divorce the management of processor redundancy from the safety management of the power output switching function. Only the failure of one or both processors, or an irreconcilable difference of opinion between the two, causes total (safe) failure of the module. Other failures cause only partial loss of function and are reported to the diagnostic processor in the control centre.

Power interface safety management

The two essential distinctions between signal and points modules are: that signal lamps are normally energized for long periods, whereas point machines are energized only for the time taken to move the points; and that it is permissible to allow a signal lamp to be incorrectly energized for short periods (~100 ms), whereas no transient energization of a point machine is allowable under any circumstances. Power interface safety management for the signal module therefore aims to provide a means of enforcing safe output states in the event of an incorrectly energized output being detected, whereas for the points module the aim is to maintain electrical isolation of the safety outputs at all times other than when the points are required to be moved.

The essentials of the technique are illustrated in Figure 5. The signal power interface is protected by two normally open miniature relays placed in series and independently energized by the two processors. Energization of the relays requires the presence of an enabling supply from the processor redundancy management circuit and the application of a dynamic refresh at intervals of not more than 100 ms. These relays are normally energized, supplying power to an array of triacs which switch 110 V AC under processor control. The safe output condition is imposed by attempting to turn off all triacs and halting the dynamic drive to the relays. The ability to de-energize the protection relays is tested periodically, as is the ability to control each triac. Any fault results in the power interface being permanently disabled.

Figure 5 [caption and diagram not reproduced in the extracted text; labels shown: supply 110 V AC, test voltage, triac control, RM enable, processor A refresh, processor B refresh, dynamic relay driver, output circuits (one of eight), relay and contact checks]

The safety outputs of a points module are isolated from the controlling triac by the normally open contacts of two relays, independently controlled by the two processors. In order to energize an output it is necessary to close both relays and turn on the triac. At all other times (moving a set of points typically takes 2-3 s) the condition of the triac and relay contacts is constantly monitored and, if any of these three lines of defence is suspect, the associated points interface is declared unusable and the fault reported. The integrity of the monitoring arrangements is regularly tested by deliberately operating the triac or one of the relays.

The philosophy adopted is therefore one of testable redundancy, in that there is always more than one mechanism available for the processor to maintain the integrity of its power interface, and each mechanism and the means of testing it is regularly tested for availability.

Voltage sensing and contact detection

Power interface safety management depends on the ability to sense supply frequency voltages, and in particular to determine whether the voltage at a module output exceeds a certain amplitude. This function has been implemented in a way which integrates conveniently with mechanisms for sensing signal lamp currents and the state of external contacts. The principles are illustrated in Figure 6.

The voltages to be monitored are passed through a potential divider and added to a DC reference. Currents are passed through a suitable small resistance. The resulting small-amplitude 50 Hz waveforms are sampled by an analogue multiplexer and compared with an offset reference which establishes a threshold level, the comparator output being read by the processor. Each voltage waveform is sampled in this way 32 times over the 20 ms supply cycle, and the number of samples exceeding the threshold is interpreted in terms of voltage amplitude. The two independent sets of hardware are arranged such that the two processors respond to opposite half cycles of the waveform. The integrity of the voltage sensing hardware is to a large extent checked automatically during normal operation; however, additional checks are carried out as part of the periodic testing of the isolation mechanisms.

External contacts are sensed by passing a coded signal through them. A Manchester-coded pseudorandom sequence is generated by the processors and transformer coupled to the external circuit. The switched return is optically coupled into the two multiplexing circuits used

Figure 6 [caption and diagram not reproduced in the extracted text; labels shown: relay and contact checks, triac sensing, analogue multiplex, input address]
checkstB-= I l - . 0 + Voltage~f~ ~
sensing ~ ~ multiplexerl i f"-
Supply outputs liP O / P ~ Sample
Triac C ' if (110 V DC) " L " joReference
control . ¢. v .. 0- Cu rr.ent ~ voltage
BR sensing
( Relay drivers not shown)
b o-r
Figure 5. Trackside-module power interface isolation Figure 6. Trackside-module voltage sensing and contact
mechanisms: a, signal module; b, points module detection

Vol 11 No 5 June 1987 271


for voltage sensing and subjected to the same sampling
and comparison process. The code rate is such that From 1962 until 1970~ 4 ~
sampling of the 32 Manchester half bits is synchronous Cribbens was at ~h,~
with and interlaced with voltage sampling. Department ot Electronic
Voltage sensing, current sensing and contact detection and Electrical £ngineering at
are carried out at the program cycle rate, typically every University College London,
50 ms. UK, where he obtained a BSc
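The sampling and coded-contact scheme described above, as an added Python simulation that is not code from the paper or from BR's SSI: the divider ratio (1/200), comparator threshold (0.5 V), decision count and LFSR polynomial are assumptions, and the 110 V AC output is modelled by its peak value (about 155.6 V). It shows why a steady level on the contact return can never be mistaken for a closed contact.

```python
"""Simulation of the trackside voltage-sensing and contact-detection scheme
described above (added example, not the paper's or BR's code; the divider
ratio, comparator threshold, decision count and LFSR are assumptions)."""
import math

SAMPLES = 32          # samples per 20 ms supply cycle, as in the paper
DIVIDER = 1.0 / 200   # potential divider ratio (assumed)
THRESHOLD_V = 0.5     # comparator offset reference in volts (assumed)
MIN_COUNT = 4         # samples over threshold that mean 'energized' (assumed)

def count_over_threshold(peak_v, processor):
    """Sample one 50 Hz cycle 32 times after the divider and count samples
    the comparator reports above threshold. Processor A is wired to the
    positive half cycle, processor B to the negative one."""
    sign = 1 if processor == "A" else -1
    count = 0
    for n in range(SAMPLES):
        v = sign * peak_v * DIVIDER * math.sin(2 * math.pi * n / SAMPLES)
        count += v > THRESHOLD_V
    return count

def output_energized(peak_v):
    """Both processors must independently see the output as energized."""
    return all(count_over_threshold(peak_v, p) >= MIN_COUNT for p in "AB")

def prbs_bits(seed, nbits=16):
    """Pseudorandom bits from a 7-bit LFSR (x^7 + x^6 + 1), standing in for
    the processors' sequence generator (assumed)."""
    state, bits = (seed & 0x7F) or 1, []
    for _ in range(nbits):
        bits.append(state & 1)
        state = ((state << 1) | (((state >> 6) ^ (state >> 5)) & 1)) & 0x7F
    return bits

def manchester(bits):
    """Manchester code, 1 -> (high, low), 0 -> (low, high): 16 bits give the
    32 half bits sampled alongside the voltage samples."""
    return [h for b in bits for h in ((1, 0) if b else (0, 1))]

def switched_return(code, closed, fault=None):
    """Constructed model of the external circuit: the code passes only through
    a closed, healthy contact; an open contact or a fault gives a steady level."""
    if fault == "stuck_high":
        return [1] * len(code)
    return list(code) if closed and fault is None else [0] * len(code)

def contact_state(code, returned):
    """'closed' only if all 32 returned half bits equal the transmitted code;
    any steady level or wrong sequence reads as 'open'."""
    return "closed" if len(code) == SAMPLES and returned == code else "open"
```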
From 1962 until 1970 A H Cribbens was at the Department of Electronic and Electrical Engineering at University College London, UK, where he obtained a BSc in engineering in 1965 and a PhD in 1969. His post-graduate research interests were in the field of microwave engineering and radio astronomy. Since 1970 he has been with the Research Division of British Rail, holding a number of positions concerned with railway control and signalling. In his present position as head of microelectronics he is responsible for the development and application of the specialized hardware and software techniques necessary to exploit microelectronic technology in safety-related applications.

PILOT SCHEME

The first SSI scheme was commissioned at Leamington Spa, UK, on 8 September 1985. The previous installation was modern in layout and equipped with colour light signals and electric point machines, but was operated from an ex-Great-Western-Railway mechanical interlocking. Its relatively small size (about 15 route km) is well suited to a first scheme. Leamington has 35 signals, 15 sets of points, 48 track circuits and 71 routes, and the 40 lineside interface modules required amount to about two thirds of the capacity of one SSI. The contractors for the installation were GEC General Signal and Westinghouse Signals, who have collaborated jointly with BR in the engineering development of the system.
As with any new development, installing and operating a full-scale system has shown the need for certain improvements prior to large-scale application. Even so, performance and reliability have been good and none of the proposed improvements reflects any fundamental deficiency in the SSI concept. An SSI installation is in commission at Inverness, UK; this is the first multi-interlocking system. Further installations are planned for York, Newcastle, Glasgow North and London Liverpool Street, UK, and a number of other locations.
with safety assurance logic--establishing a vital
benchmark' Proc. IRSE Int. Conf. Railway Control and

272 Microprocessors and Microsystems
